The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ip | Fedorindutny | * | 1.1.9 (excluding) |
| Ip | Fedorindutny | 2.0.0 (including) | 2.0.0 (including) |
| HawtIO 4.0.0 for Red Hat build of Apache Camel 4 | RedHat | nodejs-ip | * |
| Migration Toolkit for Virtualization 2.5 | RedHat | migration-toolkit-virtualization/mtv-console-plugin-rhel9:2.5.6-4 | * |
| NETWORK-OBSERVABILITY-1.6.0-RHEL-9 | RedHat | network-observability/network-observability-cli-rhel9:v1.6.0-66 | * |
| NETWORK-OBSERVABILITY-1.6.0-RHEL-9 | RedHat | network-observability/network-observability-console-plugin-rhel9:v1.6.0-66 | * |
| NETWORK-OBSERVABILITY-1.6.0-RHEL-9 | RedHat | network-observability/network-observability-ebpf-agent-rhel9:v1.6.0-66 | * |
| NETWORK-OBSERVABILITY-1.6.0-RHEL-9 | RedHat | network-observability/network-observability-flowlogs-pipeline-rhel9:v1.6.0-66 | * |
| NETWORK-OBSERVABILITY-1.6.0-RHEL-9 | RedHat | network-observability/network-observability-operator-bundle:1.6.0-78 | * |
| NETWORK-OBSERVABILITY-1.6.0-RHEL-9 | RedHat | network-observability/network-observability-rhel9-operator:v1.6.0-66 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.15.0-68 | * |
| Node-ip | Ubuntu | bionic | * |
| Node-ip | Ubuntu | devel | * |
| Node-ip | Ubuntu | esm-apps/bionic | * |
| Node-ip | Ubuntu | esm-apps/focal | * |
| Node-ip | Ubuntu | esm-apps/jammy | * |
| Node-ip | Ubuntu | focal | * |
| Node-ip | Ubuntu | jammy | * |
| Node-ip | Ubuntu | mantic | * |
| Node-ip | Ubuntu | noble | * |
| Node-ip | Ubuntu | oracular | * |
| Node-ip | Ubuntu | upstream | * |